Track OpenID Token

We are using Vikunja 0.24.6 paired with Keycloak as our OpenID provider. In our config.yml we have defined its contents as follows:

auth:
  local:
    enabled: false
  openid:
    enabled: true
    redirecturl: "https://<vikunja-domain>/auth/openid/"
    providers:
      - name: keycloak
        authurl: "https://domain.com/realms/<realm>"
        logouturl: "https://domain.com/realms/<realm>/protocol/openid-connect/logout?redirect_uri=<redirect-uri-urlencoded>"
        clientid: "vikunja-app"
        clientsecret: "mysecret"
        scope: "openid profile email"

The problem is that when you log out, you’re redirected to Keycloak, where you will click another logout button, and then Keycloak presents a logout confirmation page because the logout endpoint was not provided an id_token_hint parameter.

It would be super helpful if Vikunja could make the OpenID token from authentication available for this logout endpoint, so that when the logout endpoint is called, the user will be automatically redirected to the redirect_uri rather than the URI being ignored and a confirmation shown.

Could this be possible?

Is that the original auth token which was obtained from Keycloak?

Is there any official documentation about how that works? Is it Keycloak specific?

Yes, that’s correct.

I don’t think it’s Keycloak specific. If you look at the OpenID Connect specification, found here in section 2. RP-Initiated Logout, you’ll see that an id_token_hint is recommended.

That said, I’ve reached out to the Keycloak team internally to see whether or not I can get any further details in case I may have missed something. When I hear something, I’ll let you know.
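The logout request discussed in this thread, as an added example that is not part of the original posts and is not Vikunja's code: a Go helper that builds an RP-Initiated Logout URL with the parameters the OpenID Connect specification names (id_token_hint, client_id, post_logout_redirect_uri, state). The function name, the example realm and the vikunja.example host are assumptions, and the ID token is a placeholder.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// BuildLogoutURL builds an OpenID Connect RP-Initiated Logout request.
// endSession is the provider's end_session_endpoint and idToken is the raw
// ID token kept from login. Hypothetical helper, not Vikunja's API.
func BuildLogoutURL(endSession, idToken, clientID, postLogout string) (string, string, error) {
	u, err := url.Parse(endSession)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", "", errors.New("end_session_endpoint must be an absolute https URL")
	}
	if idToken == "" && clientID == "" {
		// With neither value the provider cannot match the redirect to a client.
		return "", "", errors.New("need an ID token or a client_id")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", "", err
	}
	// state is echoed back on the post-logout redirect; the caller stores it
	// and compares it when the browser returns.
	state := base64.RawURLEncoding.EncodeToString(nonce)

	q := u.Query() // keep query parameters already configured on the endpoint
	if idToken != "" {
		q.Set("id_token_hint", idToken)
	} else {
		q.Set("client_id", clientID) // fallback when no ID token was kept
	}
	q.Set("post_logout_redirect_uri", postLogout)
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), state, nil
}

func main() {
	// Constructed sample values; the token is a placeholder, not a real JWT.
	fmt.Println(BuildLogoutURL("https://domain.com/realms/example/protocol/openid-connect/logout",
		"<id-token-from-login>", "vikunja-app", "https://vikunja.example/"))
}
```

Because id_token_hint travels in the query string, the ID token ends up in browser history and in proxy and access logs, which is worth accounting for when deciding how long the token is retained and what claims it carries.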